Improving Cybersecurity for Space Operations
September 23, 2025
This transcript was generated with the assistance of AI. Please report inconsistencies to comms@afa.org.
Charleen Laughlin:
All right. Hey, good afternoon and welcome to our panel on improving cybersecurity for space operations. I’m Char Laughlin, the deputy chief of space operations for cyber and data for the United States Space Force. And I’m really honored to moderate this panel at a discussion — this discussion at a time when space is no longer just a strategic frontier. It’s an operational domain where cyber threats are real, persistent, and rapidly evolving. As missions migrate from terrestrial networks to orbital platforms, we face a new set of challenges. Contested environments, limited bandwidth, autonomous systems, and the need for resilient architectures that can defend themselves in real time. Cyber security in space isn’t just about protecting data, although that’s very important. It’s about preserving mission assurance and strategic advantage. Today we’ll hear from industry leaders who are shaping the future of cyber defense in space. And we’ll explore how technology, policy, and partnerships must evolve to secure this domain. I’m really thrilled to be joined by the panelists who I’m going to introduce very briefly. We had this pre-meeting a few minutes ago where we trauma bonded over things like the risk management framework and eMASS and CMMC. And we almost didn’t even make it out of the room. So I have — so one, I have no hope that we’re going to make it through all of the questions that we talked about in advance. But two, I know that you’re in for a really exciting discussion today. So I’ve got with me Ron Bushar, the managing director and CISO at Google Public Sector. Chris Cleary, vice president global cyber practice at ManTech. Alice Fakir, a senior partner and vice president at IBM. And then Brad Pyburn, managing director at Deloitte. All right. So we’re just going to go ahead and jump in. Cyber security is often discussed alongside concepts like cyber survivability, resiliency, and mission assurance.
But these terms mean different things depending on your perspective and your role. Whether you’re working in acquisition and policy and operations. So I’d like to start off by having each of you briefly introduce yourself, 30 seconds or less, and your role and share your thoughts on the definition of cyber security and how you distinguish it from related ideas like resilience and survivability. We’ll start with you, Ron.
Ron Bushar:
Easy assignment. Thanks, Char. Thanks, everyone, for being here. And my role at Google — well, before I get to that. So former Air Force information operations officer way back in the day. So cyber operations, red teaming. A lot of my training and really career has been focused on thinking like an adversary. Thinking like a threat actor and what motivation, intent, and capabilities are targeting our system. So a lot of the way I come at problems is from a mission assurance perspective. So what is it going to take to defeat those adversaries or at least deny or degrade their capabilities while we’re trying to accomplish the mission. At Google, I came from a Mandiant background, which is all about responding to threats, right? We would be on the front lines every time a company or an organization or an agency was hacked. And we would do the forensics. We would do the CSI, right? What happened? Who did it? How they do it. But we weren’t there actually preventing much, if I’m being honest with you. So now my role at Google, the mindset has shifted. It’s much more of a global platform protection perspective. We can’t afford to be on the back foot if we’re running 30% of the world’s Internet traffic and we’re serving up billions of users a day on our platforms, right? And we’re protecting and enabling critical defense missions, national security missions for this country. We really can’t afford to be kind of back footed and responsive. That’s always going to be in your playbook, but we really think proactively now about maybe it’s from our conversation a little bit of a loaded term, but risk management. But also outside of the compliance framework, what does it take to operate really scalable systems with automation? And, of course, I’ll be the first to introduce AI as the buzzword here. That is a pathway that we’ve been doing for a long time or a mechanism to really scale out capabilities from a security perspective. And I’m sure we’ll get into some of that as well.
Christopher P. Cleary:
So my name is Chris Cleary. I’m the vice president of global cyber practice at ManTech. Also Navy. So I feel a lot of my element. Retired information warfare officer, prior enlisted at some times Naval Academy was in there a little bit as well. I went on to become the principal cyber advisor for the Department of the Navy, where Wanda kept me out of a lot of trouble because she knew how the Pentagon worked and I didn’t. So I owe a lot of credit to the Air Force for keeping me straight. And I see Wedge in there as well, who taught me how to not run with scissors a little bit as well as an Air Force guy. So there’s a lot of mentorship in this room helping me do that job. I love the question because we’re again, this is what we were talking about just a few minutes ago. We should have just recorded that conversation and press play in here. You know, cybersecurity versus resiliency versus survivability. I think one of the more interesting things is when you bring that word survivability into the equation. You know, we saw the demo of the F-15. You know, the F-15 is not built to be resilient. It’s built to be survivable. You know, chaff launchers, electronic warfare gear. You know, it’s all about that plane surviving an engagement with sophisticated, well-resourced, dedicated adversaries that have their own ways to try and knock that thing out of the air. So when you introduced information systems into all this, cyber, however you choose to define it, which we could probably argue that word just here alone. You know, how do you begin to introduce things like survivability into cyber systems because there’s a cost associated with that. And, you know, we were using, I’ll say it again. You know, for those of you who have little kids that have to stand in front of the school bus to get on, you know, and you need a raincoat, you’re going to go to Target and you’re going to buy them the $12 raincoat.
If you’re going to go climb, you know, Mount Everest, you’re not going to Target to buy a raincoat or, you know, you’re going to go to, you’re going to buy an Arc’teryx, you know, $6,000 jacket because that jacket might keep you alive at the end of the day. They’ll both keep you dry in the rain. But one is certainly more resilient and survivable based on the conditions and the environment you’re going to put into it. And I think this is the debate that goes back and forth with government and industry is if you want an information system that is built to be survivable, well, there’s a cost associated with that. There’s development costs. There’s, you know, again, nobody probably blinks an eyelash to talk about the chaff launchers and the Joint Strike Fighter. And nobody’s going to say, well, do we really need those? No, that’s a cost that goes into that platform. What are those things that are required in information systems and future cyber systems to make them be survivable against well-resourced, dedicated, sophisticated adversaries?
Alice Fakir:
Thank you. I’m going to reintroduce myself. Alice Fakir. I lead Cybersecurity Services at IBM Federal. And as Char mentioned, we were having this conversation earlier about earlier days in our career and how has cybersecurity evolved from the perspective of what she mentioned, different operational policy, et cetera, perspectives. I started out my career early on in systems development. And in the early days of the Gulf War, we were starting to see more significant evidence of adversaries having intelligence about where specific supplies were being dropped. And what we found was that the logistics systems were being penetrated and hacked. And I started out my career in enterprise cybersecurity. And so one of the things that we learned very early on was understanding when an enterprise IT system turns into a mission system, right, to support these long-term wars where we’re trying to provide supplies, communications, and support the mission. And I think what’s interesting about the colleagues that I have that are on the panel here today is that everyone’s going to give you a different perspective about why cybersecurity is important and where it’s important within the mission space. And I can’t wait to get to those conversations. So I’ll end here.
Brad Pyburn:
Hey, good afternoon. This is Brad Pyburn. Really happy to be on stage with these amazing leaders. And it feels really good to be back at AFA after retiring last year. I see some familiar faces in the audience, so look forward to connecting. Retired as chief of staff at U.S. Cyber Command last summer, and before that I was DECOM at 16th Air Force Staff Cyber. I won’t go through my whole litany, but that gives you a sense of kind of where my mind is. Really proud to be a managing director at Deloitte, working, of all things, cyber, working with the Air Force, the Space Force, and U.S. Cyber Command to really try to help us move forward together in an ecosystem. When you talk about cybersecurity resilience and survivability, I’m wondering if I could pull the crypto hint card here and go into a time warp on stage where 30 seconds is more like 5, 10, 19 minutes and really have a good discussion. I’m kidding, Krypto. 55 seconds. They were timing me because I was giving you a hard time. But let me just try to really quick put a finer point on it and we can move on to the questions. When I think about survivability, I think about an individual asset, like you talked about, like a Super Hornet, whatever the jet may be, and all the characteristics it needs to be a hard target. But guess what? The adversary has a capability with a PK and precision and lethality that it can put against your capability. So if you have one asset and its survivability is at a certain range, you have to have an ecosystem that’s resilient. And now you’re talking about multiple assets that can absorb that damage, that impact, that attack, and you can still conduct your mission. How does cybersecurity play into all that? It underpins everything. You can’t be survivable unless you have a very capable cybersecurity apparatus on your platform. You can’t be resilient unless you have the same thing. And the last thing I’ll say is cybersecurity, the way we look at it, it’s passive. 
You also have to conduct defensive cyber operations, which are those things you do in the face of an adversary. So you have to build that into your platform so that you can be survivable and resilient. Just say it was less than Krypto. That’s all you need to say, Chief.
Charleen Laughlin:
Krypto, we love you. We do. We really do. You can never have enough Krypto, General Hensley. All right. So I hope you’re all excited. Just from the introductions alone, what I’d like to do now is take this conversation and juxtapose it or lay it on top of a space architecture. Right? So now we’re going to talk about evolving cyber defense for space. We rely on these layered architectures that include ground systems, data links, as well as on-orbit assets. But as this architecture becomes more complex, more distributed and dynamic and begins to include commercial and international partners, traditional cybersecurity methods like continuous monitoring and patching become a little bit more difficult, especially in contested environments. So I’d like to understand how you’re rethinking cyber defense to meet the unique demands of this emerging space infrastructure and operations. And we’re actually going to start with you, Brad. We’re hoping you can tell us a little bit about some of the lessons that Deloitte has learned from your operations on orbit.
Brad Pyburn:
Yeah. If you saw the commercial when you were coming in, and if not, we’re happy to talk to you about it. But Deloitte doesn’t just do taxes and audits. Okay? We are an amazing organization. But this idea that if you’re going to be able to have a resilient, survivable space architecture and be a good partner, you’ve got to be where the rubber meets the road. You’ve got to be in space conducting operations. So Deloitte launched a satellite, Deloitte-1, and it has amazing RF capabilities, collection, lots of different payloads that are on that particular satellite. But of interest to this crowd is the ability to conduct training operations, test it, even attack it, and make sure it’s resilient and responds in the way that you want it to respond. So think training range in space to perfect your operations and to perfect your defensive maneuver against adversary. The other part of this is a capability called Silent Shield, which is an intrusion detection system, which coming to a theater soon near you will include prevention capabilities. And when I think about my previous job at U.S. Cyber Command and in AF Cyber, building out cyber protection teams that were going to be aligned to U.S. Space Command to defend space capabilities on orbit. How can you do that? Well, now you have a way through some lightweight tech and an out-of-band capability to do exactly that. So you think about operators defending assets on the ground through that connection in space. So that’s one way we’re thinking about it. And over the next 18 months, Deloitte’s going to put up eight more satellites. But again, it’s thinking about it from a you’ve got to be able to respond and act in the presence of adversaries in the domain of warfare you’re going to operate in, in a way that’s powerful. And you’ve got to have partnerships. There’s a whole ecosystem that we’re connecting to, nontraditional partners that bring unique capabilities to bear.
And so I think this is something we’re excited about exploring more with the department. I think later in this discussion we’ll talk about innovation and those kind of touch points. But I’d be remiss. I would like to point to this young man right here, Ryan Roberts, in the front row, the vision and the brainchild behind this. And if you think about everything it took to launch a satellite, I mean, he’s got great stories. So we’re learning with our partners what it means to put a constellation in orbit, make it resilient, make it survivable, and be able to have that out-of-band defensive capability.
Charleen Laughlin:
That’s awesome. Thank you. Now we’re going to pivot to something a little bit more terrestrial. Ron, I’m hoping that you can talk a little bit about the lessons that we’ve learned from either operating or watching others operate in a contested environment.
Ron Bushar:
Yeah, thanks. So we were on the front lines in cyber during the invasion of Ukraine. And the first indicators, obviously, of the operation there was outages, right, for commercial satellite systems, Viasat. Turns out when we investigated the root cause and kind of walked back the methodology, the GRU had been in the main modem systems the way that firmware was deployed to systems on Viasat systems for about six to eight months prior to the invasion. So it was more of a tactical exercise on their part in preparation for, you know, combat operations. But what you can learn from that is, you know, you could have taken a much more sophisticated approach of maybe trying to actually get onto, you know, space vehicles and, you know, cutting edge sort of attacks in space, but it wasn’t necessary, right. They accomplished a tactical mission objective, taking out civilian communications, right, in the country. And by the way, it’s very accurate, right. So they were able to target very specifically just the modems and just the downlinks in the country, nowhere else Viasat was operating in Europe at the time, right. They took their time, it was very precise, and it was effective, right. They made it such that the only way to restore communications was to replace, physically replace those devices, right, through the mechanism they used to deploy this destructive malware on those modems. So that’s an example where, and it’s front of mind for me in future conflict zones, right, of how do we think about, now we might be sitting here as a military organization saying, well, we don’t use civilian systems. But I would challenge you a little bit to say, especially if we’re operating in a coalition environment, what are our partners, how do they use commercial communication systems, what are they relying on. I think we’re all becoming much more reliant on commercial communications mechanisms, terrestrial, and, you know, LEO assets. 
And so it’s worth at least thinking through kind of what we were talking about. What if that asset goes away, right. What if you lose commercial comms, what’s your fallback, and then what’s your degradation, right. Maybe you’ve got really high bandwidth on terrestrial systems. We’re working on this all the time at Google because we can’t use space assets, candidly, because of the bandwidth we need, right, to push YouTube cat videos around the world, amongst other things. And so, but because of the scale, the planet scale of our infrastructure, we lay our own fiber all over the world, right. And we’ve been thinking very carefully about where do we need to build resiliency into key fiber links, the Pacific side, Atlantic side, across Europe. Specifically because it’s fairly easy, right, either from an OT perspective, or frankly just a physical attack to disrupt those fiber links. And so how do you think about making it more resilient and failover. But you have to also play this out, right. What if you lose them all, okay, what is your failback communications plan. So I would, one of the things that I think is interesting to think about in the context of cyber and all of this is, we know the key assets in both, I would say commercial and national security, that are going to be targeted in the run up to or the preparation for a physical conflict. And the more you have assets and visibility for indicators and warning in those systems, it can give you really, really good information and intelligence about adversary intent, right, and timing, and where they’re targeting. So we’re really pushing this concept of instrument everywhere, or as much as you can across critical infrastructure. This is obviously one of those sectors that is really important to instrument across, again, coalition, partner nation, right. 
And to get an understanding of where, not the obvious, I’d say more obvious intelligence collection capabilities are happening, but where those implants, those more subtle positioning, pre-positioning and implant activities are happening in the run up to or preparation for disruption.
Charleen Laughlin:
Yeah, no, that’s awesome. And then, you know, you’re talking about really resilience and building that into your comms. So, Chris, I want to go over to you to wrap up. Particularly drawing on your time as the Navy’s principal cyber advisor with oversight and responsibility to secure these massively distributed naval architectures. What are some things that we should learn as we’re looking to apply those ideas to space now?
Christopher P. Cleary:
So, yeah. So, when the PCAs all came into existence, other than trying to be smothered by a pillow, so year one of PCA world was just try to survive. Wanda and I, we became very tight friends. Well, what also happened is you found little lanes in the road that nobody was really doing a lot with. And critical infrastructure became one of these, hey, nobody was doing anything with it. Secretary said, Chris, just go find something to go do. So, I started going down really deep this critical infrastructure path. And I became really good friends with John Garstka, OSD, and Daryl Haegley with the Air Force. One of the things I found in the Air Force that I always really liked was the CROCS and the CROWS office. I was trying to get the Navy to just rip the cover page off of both of those offices and create something very similar in the Navy. But so as John and Daryl and I would all kind of beat our heads against the wall trying to get people to recognize this as an area, we started going down these processes of discovery. And what you found is when you did good old mission analysis, right, you know, center of gravity analysis, you know, critical capabilities, critical requirements, critical vulnerabilities associated with those. When you started underlaying infrastructure into the way that we have to support these mission systems, you say, okay, well, let’s look at it through the lens of, let’s say, the INDOPACOM commander. And let’s look at it through the lens of, let’s say, the Navy. Okay, well, when I started looking at that commander, that mission, there were certain areas that became more important than others. Guam, Hawaii, Naval Observatory, Norfolk. When you looked at what made those facilities what they were, you started then mapping them to mission critical facility-related control systems. There was a finite number that mapped to TCAs and DCAs. And you could kind of begin to get your hand around this problem because you weren’t trying to boil the ocean.
You really could do some mission analysis and say, this control system for power on this base is going to keep that mushroom doing what it’s doing, right? And there was a finite amount of money and there was a finite amount, you know, you could say, I’m not, I don’t need a gajillion dollars. I need this much. So then what John was really successful at doing at A&S was the Strategic Cybersecurity Program, if those of you may not be familiar with it. And what John at the OSD level got really good at is looking at, you know, certain weapons systems and certain infrastructure that was dependent on each other and how could you then cross these two over. And I think the story of it was when there were people that could kind of be given a lot of rope, right? And one of the, I guess one of the jokes would be out of this is when the secretary of the Navy said write a strategy, that’s Pentagon terms for get out of my office for six months, right? And I called it the, I call it the tennis ball that he just threw down the E-ring in the Pentagon and be like, go chase this, leave me alone for six months. And when you came back six months later, the joke was, I didn’t come back with the tennis ball. I came back with this severed foot. And they’re like, where’d you find that? Well, the tennis ball bounced down into this room that nobody’s been in in a hundred years. And when you open this room up, oh my God, look at the things you found in here. And I think that was one of the fun things that have kind of being unconstrained to run sort of fast and loose in the department. You found some really interesting things over a period of time. Now, how you try to then get people who were the mission owners or the people, the resource sponsors or the requirement owners to then prioritize these, this is I think where the problem sits right now. But again, again, I tip my hat to the Air Force in particular for the CROCS office for what Daryl Haegley is doing. He doesn’t get it.
I’m going to pitch Daryl Haegley. You got to give that guy a little bit more support and effort because he’s doing some amazing things to ensure that the Air Force is going to be able to do a lot of its mission set moving forward. So go Daryl.
Charleen Laughlin:
I don’t even think he’s here.
Brad Pyburn:
He’s not.
Christopher P. Cleary:
Daryl’s not here. He should be. He was here yesterday.
Charleen Laughlin:
Yeah, he was. No, I really appreciate that. I think all of those insights right across that increasingly dynamic architecture. I want to step it up a little bit now and I want to throw in autonomy and AI. Ron, you mentioned this is a buzzword. So we’re circling back to that. So, you know, as autonomous and semi-autonomous spacecraft take on more operational roles, they introduce new cyber terrain that we’ve now got to understand and defend. And so, Alice, we’re going to start with you on this. How do autonomy and advances in AI change the way that we should be thinking about securing and enabling cyber defense in space?
Alice Fakir:
Yeah, this is a hot topic, obviously, because we’re all experimenting with AI. We’re trying to bring it into the enterprise. Our adversaries are already using it. It’s a democratized capability. So accessibility of it is everywhere. And the biggest challenge that we face is twofold. First, how do we make sure that the AI we’re using and introducing into our enterprise environments is secure and doesn’t create additional problems? It’s very easy to allow the large language models to get poisoned by bad data or misuse by an insider. But how are we recognizing when it’s being used to attack us? So one of the things I want to harken back to something that my panel member up here mentioned, Ron, was around the Ukraine war and how they were able to track and understand TTPs in this space. It is very important to recognize the value of threat intelligence when you’re looking at a mission operations space. I mean, I’m talking to the right audience here who understands this. But I think in the enterprise IT space where we’re supporting through mission systems and the application layers that support all of these ground to air transportation systems and communication systems, that sometimes those things get lost. And there was a very robust conversation about how burdensome the risk management framework has come to be. And we’re adding this layer of secure by design and we’re adding this layer of CMMC and all these different requirements that seem to be very temporal, right? It’s a state in time on these things. And we recognize that AI doesn’t have that state in time. AI is evolving. Our attack vectors are continuously evolving. And one of the things that we noticed even within IBM, we’re both a technology company and a services company. We recognize how to bring the right technologies and build them to bring them into the mission. We, in the early days of the Ukraine war also, we support a threat intelligence platform. It’s mostly used in the commercial space. 
It’s used in 40 different countries. We have 2,500 different cybersecurity analysts that engage with our security platform. And we also saw the campaigns happening and provided some early warning signs to Department of Homeland Security, the JCDC, as well as our European Intel counterparts. The challenge became how do we stop these things from being such a disruptor to our mission? And so when we start talking about AI, the importance of using it, I cannot stress enough the criticality of understanding and learning how to use AI and bring it into your domain. Our cyber operators are undermanned and understaffed. And the ability to create, you know, we’ve got a capability we’re calling cyber agent, which is almost like a SOC analyst copilot. It’s a threat intel analyst copilot. It’s sitting there. It’s available for you to leverage, much like you’re using ChatGPT to augment your own daily, you know, interests. It’s something that is focused in being able to quickly understand a TTP and map it to the MITRE ATT&CK framework and then figure out how do I defend or how do I recover if you’re recognizing there’s something that happens within that incident. We have to move at the speed of AI because it is taking — it’s taking shape at a capacity and a velocity that we are not personally, you know, well-equipped — this is my personal opinion — well-equipped to provide. Certainly there are pockets in industry that do that. The next capability I want to talk about is in the post-quantum cryptography space and encryption. When we look at these mission systems that both of my colleagues here have talked about supporting the criticality of something during a mission or during wartime, how do we make sure that communications are not being intercepted? It’s not just a harvest now, decrypt later fear that someone’s going to give access to our secrets. That’s very real.
But when the era of quantum computing comes into play, it’s going to be able to decrypt synonymously, like near real time, when — you know, during these mission comms. And so if we don’t have the ability to become crypto-agile in support of these mission systems, land, air, sea, we’re going to be challenged by our ability to execute against the mission. There are issues like compression standards, microchips that need to be manufactured that can handle this scale at a light weight with relative stability, right, durability during these missions. We need to make sure that we’re building towards those things. And so we look at our national security landscape. It’s such an imperative in my mind that we all take the need for AI and post-quantum cryptography forward. These encryption standards are important. We need to start understanding how they play into our mission space because it could be a really bad day when something gets flipped and there’s a mission and things haven’t been tested because of the interconnectedness of all of these different systems. So I’ll pause there.
Charleen Laughlin:
Thank you so much, Alice. I think crypto-modernization is another topic that we’ll have to add to the support group that we created before this panel. Brad, I’m going to go to you to finish up with a bonus question. If you had to choose between more automation or more human oversight and space cyber defense, where would you place the balance and why?
Brad Pyburn:
Well, we just had a really great explanation for why, you know, automation and AI is really important. When you think about the speed, the scale, you know, we’ve talked about that this week of our adversaries. And our adversaries are many, right, whether it’s a nation state, it’s a criminal enterprise, it’s Bill and Ted in their basement, you know, with a candy bar. It’s democratized, right, and they’re using AI already. And the scale, scope, pervasiveness of these attacks are coming at us from every angle. So we have to be better than that. When I say we, I’m talking about the department, the nation, the defense industrial base, the great people on stage right now. We have to work together carefully to make sure that we’re ahead of that threat and we can meet the demand of our national security. So I would say I would caution us to think about ever going completely away from human interaction. I think about it like an F-35 with CCAs. And you’re always going to have wingmen. You mentioned the capability that you guys have developed. I think about it in that respect. You ought to have AI capability, agent, agentic warfare, I don’t know if that’s a thing. But this idea that you have all these great capabilities arrayed across your ecosystem to make you more capable, more defensive. But we’re always going to need humans on the loop, not in the loop. And I think that’s the differentiation. The AI will make really great decisions and recommendations, but we’re always going to need a human in control. I think that’s the piece. So I would say certainly more automation where it makes sense, especially when you think about space capabilities, ground segments, uplinks, downlinks. Space architectures, crosslinks. All these different things that you have to think about. Defenders have to be perfect everywhere. The offensive team only has to get it right once. And the last thing I’ll say is you need to assume the position of a breach. And that can be scary. 
And we talked about this when we were having our RMF therapy session earlier, which is you can build a perfectly RMF-approved, CMMC-approved defensible system. And then the adversary gets a vote. And then what are you going to do? So you’ve got to build in that ability to fight through whatever is happening so you can deliver the effects, complete the mission, distribute the orders, whatever it is you’re trying to accomplish. The way we’re going to continue to be the best in the world as a nation is to layer in that AI capability, that automation with humans on the loop.
Charleen Laughlin:
Awesome. Thank you. Now, I know these have all been really easy questions, softballs that I’m throwing you, or I guess tennis ball if I’m speaking the Navy lingo. The last easy topic that I want to cover is acquisition reform and cyber. So if you heard the CSO talk today, you heard him talk about really the shakeup in the department’s acquisition processes and the need for us to ensure that acquisition is aligned closely with operations so that we can be rapidly generating new capabilities to the field. A little over a year ago, the Space Force released our commercial space strategy, and that was really to signal a clear intent with industry to work differently and prioritize speed, integration, and hybrid architectures. Then more recently, the department announced a major overhaul of JCIDS, the Joint Capabilities Integration and Development System, to better align with modern threats and operational realities. So final question, as industry leaders and cybersecurity experts, and some of you having done hard time in the department, what advice do you have for us in the department to ensure that cyber resilience is a foundational element in our evolving acquisition processes? And because this is such a big question, I’ve sliced it up for you all based on your perspective. So Brad, I want to go back to you to talk about some of the thoughts you might have from your time organizing, training, and equipping while you were the chief of staff at CYBERCOM.
Brad Pyburn:
Yeah, I think it’s really three things. The first is authorities. The department has a ton of authorities from acquisition speed and mobility and agility and all the ilities that sometimes aren’t used to their complete effectiveness for lots of reasons. And so understanding what authorities you have, leveraging those, and getting the most we can collectively out of those authorities. You know, OTAs and CSOs and those kinds of things. I think the second piece of that is you can call it organization, you can call it structure, but I think about it as you need a place and an ecosystem to innovate. And there’s lots of examples already across the department. I’m not talking about recreating things, AFWERX, SOFWERX, DIU. There’s lots of things that are already out there. But when I think about space operations, where do you go to engage with traditional and nontraditional vendors in a way that you can practice and experiment and fail and learn and rapidly build new things in a way that balances the risk across the ecosystem but allows the team to develop this and perfect it in a way that it’s put into production. Then it goes to the FAR. It goes to normal acquisition pathways if that’s the next step in that piece. And the last thing I would say is culture, which is General Hyten said it best. You know, we become afraid to fail. And I’ll quote Jeff Bezos who said, really interesting discussion, I listened to him talk about this. He said, we don’t fail during operations. We fail during experiments. And we talk about failing, we never put that categorization on it. If I’m experimenting and prototyping and learning, it’s okay. In fact, I want to fail so that when I get into operations, I’m successful. So I think it’s those three things.
Charleen Laughlin:
Awesome. Ron, I’m going to pass it to you now. I’d love to hear your thoughts about cybersecurity and acquisition and specifically the authorization and accreditation processes.
Ron Bushar:
Yeah, I mean, I would say that, you know, I have the privilege and maybe the nightmare right now being at the tip of the spear of this when it comes to getting commercial solutions accredited for military use or for Department of Defense and national security use, right? And we’re at a moment, we talked about AI, right? If you look at the investments that are happening in AI, I think it’s half of our entire GDP this year is being spent in some way, shape or form on AI infrastructure. You look at the $400 billion invested this year in CapEx, right? That’s data centers, that’s chips, that’s all this. Like, the only way that if AI is part of your mission at all anywhere, the way you’re going to get to those capabilities is through commercial means. So, how do we get to a place, and I just talked about how traditional commercial vendors could be susceptible to having brittle infrastructure in the example of Viasat, right? Like, they weren’t aware of the fact that, A, they were a target and, B, that they were vulnerable to that sort of attack. So, we have to find a balance of speed to acquisition and speed to procurement of commercial solutions, especially as it deals with transformational technology, because most of that today is coming out of the commercial sector in one way, shape, or form, and it’s being modified or applied to mission. At the same time, not accepting that because it’s commercial, it’s going to be vulnerable or it’s going to be too risky, right? And that slows us down. So, we’ve built this whole framework. We’ve got IL, we’ve got FedRAMP. A lot of it relies on kind of traditional. We talked about checkbox compliance, baselining, all those sort of things. It’s super slow. In many cases, it’s inaccurate or it gives you a sense of comfort, but in reality, again, the adversary is 10 steps ahead of you from a technology perspective. 
So, trying to find a balance of acquiring, maybe what you said is right, like we have to be able to prototype these things in an environment and purple team them, red team them, actually evaluate them in real-world scenarios using realistic malware and tooling and TTPs that we know our adversaries are using against us. And then have this mindset that different missions probably require different levels of assurance, right? Like if it’s a coalition environment and it’s only stood up for a short period of time and you need to move lots of data around and you want to put AI at the edge, maybe you can live with a little bit more risk in that system. It doesn’t need the full resiliency that we would put into a weapons platform type of thing, right, versus enduring strategic assets where we want to spend much more time and effort and careful consideration in the way we acquire those systems. So, I just think flexibility, I mean, I’m going to go back to my Air Force days, one of the key tenets of air power is flexibility. We’ve got to figure out how to incorporate flexibility in the way we acquire new capabilities and technology and apply them to mission in a smart way. All right.
Charleen Laughlin:
Chris, you mentioned the Strategic Cybersecurity Program earlier, right? And I know we’re getting down to the last couple of minutes, but one of our findings with respect to the SCP was that a lot of the legacy systems we were assessing were built before we had cybersecurity requirements. So, any parting thoughts on the requirements process itself and in particular requirements creep?
Christopher P. Cleary:
Yeah, and again, this is one where I’ll channel John Garska again who actually gives a really good talk when he talks about space systems, something that went up 20 years ago where this wasn’t a threat vector at the time. How do you begin to — what do you do to assure that until you replace that platform? You’ve got to — you know, and this is when you get to the infrastructure pieces or is it — whatever its other dependencies that it has. But I think moving forward, I mean, it’s sort of intelligent design and force design. You know, one of the things I think we saw in the Navy or probably all the services struggle with this is something new comes into the space. And, you know, a couple years ago it was you’d bolt on cyber afterwards. At least now as new programs — I’ll use the Constellation-class frigate as an example for the Navy. You know, as that was going through its design phase, they were trying to do cybersecurity, you know, and survivability and resiliency up front as opposed to say we have to go — this is all a back cost that we’re going to do afterwards. But what you found is in the organization there really wasn’t that one belly button you could go after to say this organization, this entity is overall, you know, the intelligent design of this whole platform to include cyber survivability was at the table all the time. So I guess when you think about future systems, is there a different way that we even do the requirements process because it moves so quickly, right? It doesn’t fit into JCIDS. It certainly doesn’t fit into the POM process when I’m trying to think about buying something three to five years down the road. We all know the environment is going to change. Can you just have a — I know this is heresy, but could you just have a — slush fund. That’s probably not the right word I should use. Some other pool of money that can be more dynamic with that I don’t have to POM for three years in advance. 
I know I’m going to have some requirement three years down the road. I just know there needs to be a pool of money for people to be able to go to to add this new requirement or this new technology or this new thing to it. And I think that’s probably one of the things that’s got to be thought through.
Charleen Laughlin:
That’s great. Slush fund made me think of slushies and now I’m thirsty. So I’m glad we’re wrapping up. Alice, we’re going to finish with you. You know, we were talking before the panel about how of all of the folks on stage you’re the one who hasn’t actually done time in government. But your entire career you’ve kind of orbited us and judged us, I’m sure. So what advice would you have for us as we are looking at rethinking our acquisition process?
Alice Fakir:
Yeah, I would say thank you for that. I kind of feel like I’m getting caught leaving the Pentagon at midnight with these lights glaring. I would say don’t be afraid to ask industry to meet you where you are. I know that’s an overused term, but there’s a lot of investment we make that you never hear about it because there’s not an opportunity to have the dialogue. Most of us are here ready, willing to receive your phone calls, ask us for time to solve a hard problem. We’re willing to go at it with you. I don’t think that on the government side they recognize the power of this collective thinking that we can bring together. And there’s no contract required. There’s no cost of it other than your time. But we’re here for you.
Charleen Laughlin:
All right. Well, I think that’s a wrap. I really appreciate everybody being here. I very much appreciate the insights of our panel members. If we could just give them a round of applause.